Left: | ||
Right: |
LEFT | RIGHT |
---|---|
1 #!/usr/bin/env python | 1 #!/usr/bin/env python |
2 | 2 |
3 from ConfigParser import SafeConfigParser | 3 from ConfigParser import SafeConfigParser |
4 import hashlib | 4 import hashlib |
5 import hmac | 5 import hmac |
6 import json | 6 import json |
7 import os | 7 import os |
8 import re | 8 import re |
9 import sys | 9 import sys |
10 import urllib | 10 import urllib |
11 | 11 |
12 OAUTH2_AUTHURL = 'https://accounts.google.com/o/oauth2/auth' | 12 OAUTH2_AUTHURL = 'https://accounts.google.com/o/oauth2/auth' |
13 OAUTH2_TOKENURL = 'https://accounts.google.com/o/oauth2/token' | 13 OAUTH2_TOKENURL = 'https://accounts.google.com/o/oauth2/token' |
14 OAUTH2_DATAURL = 'https://www.googleapis.com/plus/v1/people/me' | 14 OAUTH2_DATAURL = 'https://www.googleapis.com/plus/v1/people/me' |
15 OAUTH2_SCOPE = 'email' | 15 OAUTH2_SCOPE = 'email' |
16 | 16 |
17 OAUTH2_TOKEN_EXPIRATION = 5 * 60 | |
18 | |
17 def setup_paths(engine_dir): | 19 def setup_paths(engine_dir): |
18 sys.path.append(engine_dir) | 20 sys.path.append(engine_dir) |
19 | 21 |
20 import wrapper_util | 22 import wrapper_util |
21 paths = wrapper_util.Paths(engine_dir) | 23 paths = wrapper_util.Paths(engine_dir) |
22 script_name = os.path.basename(__file__) | 24 script_name = os.path.basename(__file__) |
23 sys.path[0:0] = paths.script_paths(script_name) | 25 sys.path[0:0] = paths.script_paths(script_name) |
24 return script_name, paths.script_file(script_name) | 26 return script_name, paths.script_file(script_name) |
25 | 27 |
26 def adjust_server_id(): | 28 def adjust_server_id(): |
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
68 orig_create_cookie_data = login._create_cookie_data | 70 orig_create_cookie_data = login._create_cookie_data |
69 def _create_cookie_data(email, admin): | 71 def _create_cookie_data(email, admin): |
70 result = orig_create_cookie_data(email, admin) | 72 result = orig_create_cookie_data(email, admin) |
71 result += ':' + calculate_signature(result) | 73 result += ':' + calculate_signature(result) |
72 return result | 74 return result |
73 login._create_cookie_data = _create_cookie_data | 75 login._create_cookie_data = _create_cookie_data |
74 | 76 |
75 def enable_oauth2(client_id, client_secret, admins): | 77 def enable_oauth2(client_id, client_secret, admins): |
76 from google.appengine.tools.devappserver2 import login | 78 from google.appengine.tools.devappserver2 import login |
77 | 79 |
80 def request(method, url, data): | |
81 if method != 'POST': | |
82 url += '?' + urllib.urlencode(data) | |
83 data = None | |
84 else: | |
85 data = urllib.urlencode(data) | |
86 response = urllib.urlopen(url, data) | |
87 try: | |
88 return json.loads(response.read()) | |
89 finally: | |
90 response.close() | |
91 | |
92 token_cache = {} | |
93 def get_user_info(access_token): | |
94 email, is_admin, expiration = token_cache.get(access_token, (None, None, 0)) | |
95 now = time.mktime(time.gmtime()) | |
96 if now > expiration: | |
97 get_params = { | |
98 'access_token': access_token, | |
99 } | |
100 data = request('GET', OAUTH2_DATAURL, get_params) | |
101 emails = [e for e in data.get('emails') if e['type'] == 'account'] | |
102 if not emails: | |
103 return None, None | |
104 | |
105 email = emails[0]['value'] | |
106 is_admin = email in admins | |
107 | |
108 for token, (_, _, expiration) in token_cache.items(): | |
109 if now > expiration: | |
110 del token_cache[token] | |
111 token_cache[access_token] = (email, is_admin, now + OAUTH2_TOKEN_EXPIRATIO N) | |
112 return email, is_admin | |
113 | |
78 def get(self): | 114 def get(self): |
79 def request(method, url, data): | |
80 if method != 'POST': | |
81 url += '?' + urllib.urlencode(data) | |
82 data = None | |
83 else: | |
84 data = urllib.urlencode(data) | |
85 response = urllib.urlopen(url, data) | |
86 try: | |
87 return json.loads(response.read()) | |
88 finally: | |
89 response.close() | |
90 | |
91 def error(text): | 115 def error(text): |
92 self.response.status = 200 | 116 self.response.status = 200 |
93 self.response.headers['Content-Type'] = 'text/plain' | 117 self.response.headers['Content-Type'] = 'text/plain' |
94 self.response.write(text.encode('utf-8')) | 118 self.response.write(text.encode('utf-8')) |
95 | 119 |
96 def redirect(url): | 120 def redirect(url): |
97 self.response.status = 302 | 121 self.response.status = 302 |
98 self.response.status_message = 'Found' | 122 self.response.status_message = 'Found' |
99 self.response.headers['Location'] = url.encode('utf-8') | 123 self.response.headers['Location'] = url.encode('utf-8') |
100 | 124 |
(...skipping 19 matching lines...) Expand all Loading... | |
120 'client_secret': client_secret, | 144 'client_secret': client_secret, |
121 'redirect_uri': base_url + login.LOGIN_URL_RELATIVE, | 145 'redirect_uri': base_url + login.LOGIN_URL_RELATIVE, |
122 'grant_type':'authorization_code', | 146 'grant_type':'authorization_code', |
123 } | 147 } |
124 data = request('POST', OAUTH2_TOKENURL, token_params) | 148 data = request('POST', OAUTH2_TOKENURL, token_params) |
125 token = data.get('access_token') | 149 token = data.get('access_token') |
126 if not token: | 150 if not token: |
127 error('No token in response: ' + str(data)) | 151 error('No token in response: ' + str(data)) |
128 return | 152 return |
129 | 153 |
130 get_params = { | 154 email, is_admin = get_user_info(token) |
131 'access_token': token, | 155 if not email: |
132 } | |
133 data = request('GET', OAUTH2_DATAURL, get_params) | |
134 emails = [e for e in data.get('emails') if e['type'] == 'account'] | |
135 if not emails: | |
136 error('No email address in response: ' + str(data)) | 156 error('No email address in response: ' + str(data)) |
137 return | 157 return |
138 | |
139 email = emails[0]['value'] | |
140 is_admin = email in admins | |
141 self.response.headers['Set-Cookie'] = login._set_user_info_cookie(email, i s_admin) | 158 self.response.headers['Set-Cookie'] = login._set_user_info_cookie(email, i s_admin) |
142 redirect(continue_url) | 159 redirect(continue_url) |
143 | 160 |
144 action = self.request.get(login.ACTION_PARAM) | 161 action = self.request.get(login.ACTION_PARAM) |
145 continue_url = self.request.get(login.CONTINUE_PARAM) | 162 continue_url = self.request.get(login.CONTINUE_PARAM) |
146 continue_url = re.sub(r'^http:', 'https:', continue_url) | 163 continue_url = re.sub(r'^http:', 'https:', continue_url) |
147 base_url = 'https://%s/' % self.request.environ['HTTP_HOST'] | 164 base_url = 'https://%s/' % self.request.environ['HTTP_HOST'] |
148 | 165 |
149 if action.lower() == login.LOGOUT_ACTION.lower(): | 166 if action.lower() == login.LOGOUT_ACTION.lower(): |
150 logout(continue_url or base_url) | 167 logout(continue_url or base_url) |
151 elif self.request.get('error'): | 168 elif self.request.get('error'): |
152 error('Authorization failed: ' + self.request.get('error')) | 169 error('Authorization failed: ' + self.request.get('error')) |
153 else: | 170 else: |
154 code = self.request.get('code') | 171 code = self.request.get('code') |
155 if code: | 172 if code: |
156 login_step2(code, self.request.get('state') or base_url) | 173 login_step2(code, self.request.get('state') or base_url) |
157 else: | 174 else: |
158 login_step1(continue_url or base_url) | 175 login_step1(continue_url or base_url) |
159 | 176 |
160 login.Handler.get = get | 177 login.Handler.get = get |
161 | 178 |
179 from google.appengine.api import user_service_stub, user_service_pb | |
180 from google.appengine.runtime import apiproxy_errors | |
181 def _Dynamic_GetOAuthUser(self, request, response, request_id): | |
182 environ = self.request_data.get_request_environ(request_id) | |
183 match = re.search(r'^OAuth (\S+)', environ.get('HTTP_AUTHORIZATION', '')) | |
184 if not match: | |
185 raise apiproxy_errors.ApplicationError( | |
186 user_service_pb.UserServiceError.OAUTH_INVALID_REQUEST) | |
187 | |
188 email, is_admin = get_user_info(match.group(1)) | |
189 if not email: | |
190 raise apiproxy_errors.ApplicationError( | |
191 user_service_pb.UserServiceError.OAUTH_INVALID_TOKEN) | |
192 | |
193 # User ID is based on email address, see appengine.tools.devappserver2.login | |
194 user_id_digest = hashlib.md5(email.lower()).digest() | |
195 user_id = '1' + ''.join(['%02d' % ord(x) for x in user_id_digest])[:20] | |
Sebastian Noack
2015/06/04 21:51:43
WTF this algorithm, but I suppose we have to use i
Wladimir Palant
2015/06/04 23:19:54
Luckily, it doesn't seem to matter - Rietveld work
| |
196 | |
197 response.set_email(email) | |
198 response.set_user_id(user_id) | |
199 response.set_auth_domain(user_service_stub._DEFAULT_AUTH_DOMAIN) | |
200 response.set_is_admin(is_admin) | |
201 response.set_client_id(client_id) | |
202 response.add_scopes(OAUTH2_SCOPE) | |
203 | |
204 user_service_stub.UserServiceStub._Dynamic_GetOAuthUser = _Dynamic_GetOAuthUse r | |
205 | |
162 | 206 |
163 if __name__ == '__main__': | 207 if __name__ == '__main__': |
164 engine_dir = '/opt/google_appengine' | 208 engine_dir = '/opt/google_appengine' |
165 storage_path = '/var/lib/rietveld' | 209 storage_path = '/var/lib/rietveld' |
166 | 210 |
167 script_name, script_file = setup_paths(engine_dir) | 211 script_name, script_file = setup_paths(engine_dir) |
168 adjust_server_id() | 212 adjust_server_id() |
169 fix_request_scheme() | 213 fix_request_scheme() |
170 | 214 |
171 if script_name == 'dev_appserver.py': | 215 if script_name == 'dev_appserver.py': |
172 config = read_config(os.path.join(storage_path, 'config.ini')) | 216 config = read_config(os.path.join(storage_path, 'config.ini')) |
173 | 217 |
174 set_storage_path(storage_path) | 218 set_storage_path(storage_path) |
175 replace_runtime() | 219 replace_runtime() |
176 protect_cookies(config.get('main', 'cookie_secret')) | 220 protect_cookies(config.get('main', 'cookie_secret')) |
177 enable_oauth2( | 221 enable_oauth2( |
178 config.get('oauth2', 'client_id'), | 222 config.get('oauth2', 'client_id'), |
179 config.get('oauth2', 'client_secret'), | 223 config.get('oauth2', 'client_secret'), |
180 config.get('main', 'admins').split() | 224 config.get('main', 'admins').split() |
181 ) | 225 ) |
182 | 226 |
183 execfile(script_file) | 227 execfile(script_file) |
LEFT | RIGHT |